Every day I experience life in the world of healthcare IT, supporting 3000 doctors, 18000 faculty, and 3 million patients. In this blog I record my experiences with infrastructure, applications, policies, management, and governance as well as muse on such topics such as reducing our carbon footprint, standardizing data in healthcare, and living life to its fullest.

Monday, December 31, 2012

It's the time of year that many writers reflect on the major events of the past 365 days. I'll let the journalists cover the impact of the election, the epidemic of senseless violence, and the scandals of infidelity.

To me, there were 5 major healthcare IT events in 2012 that we need to recognize and celebrate:

1. EHR adoption became unstoppable - In 2010, the Beth Israel Deaconess Physician's Organization changed its bylaws to require a certified EHR as a condition of practice. Even in 2010 this was controversial and we had long discussions about exceptions for specialists and grandfather clauses for early adopters of EHRs which lacked the interoperability we required. In 2012, any such discussion became moot. 90% of our entire community of affiliated clinicians have attested to meaningful use. As Beth Israel Deaconess expands its accountable care organization, one of the first questions asked by potential partners is the IT integration strategy. In every community I visit in the US, clinicians are speaking about their EHR experiences. Initial implementations were often challenging, but I've not found a clinician who wants to revert to a paper world.

2. Health Information Exchange became real - In Massachusetts and many other states, communities are exchanging data for care coordination and population health. Unambiguous transport, content, and vocabulary standards have taken the guesswork out of health information exchanges. Although technical issues have been solved, there are remaining business sustainability issues for some HIEs, but several have found that stakeholders will pay for data sharing from the money saved through cost avoidance as new business processes are enabled.

3. Standards harmonization became a process instead of an emotional debate - Having been involved in standards making, implementation guide writing, and regulation formation for the past decade, I can say that 2012 was a year in which creating/choosing standards became a well-defined public/private process without any of the religious wars of the past such as "my XML is better than your XML". Each time there was a question to be answered, experts came together using a common process and either produced a definitive answer or concluded that existing standards were not sufficiently mature for adoption, encouraging the marketplace to experiment with novel approaches. For example, Massachusetts designed a very simple SOAP-based query/response approach to provide directories.

4. Patient and family engagement went mainstream - In 1999 when Beth Israel Deaconess launched Patientsite, it was considered very controversial to provide patients view/access/download to electronic health records. In 2010 when we added the full text notes created by clinicians, the myths about straining the physician/patient relationship with too much transparency still persisted. In 2012, it is now part of the Beth Israel Deaconess medical staff bylaws that clinicians share all electronic data with patients.

5. Privacy and Security in healthcare began the journey to maturity - As I've written previously healthcare has traditionally under-invested in the processes, procedures, and documentation needed to create a mature security program. Just as strong enforcement by the Securities and Exchange Commission created a culture of compliance that led us to trust in the integrity of the stock market, so does strong enforcement of HIPAA motivate hospitals and professionals to create a culture of security. Every healthcare CIO I speak with confirms that 2012 was a year in which security projects became their top priority.

Of course there were other trends in 2012 - every vendor developed a cloud strategy, clinicians went increasingly mobile, and tablets became the new desktop. Meaningful Use Stage 2 gave us a roadmap for the work of the next year. ICD10 was delayed until October 1, 2014.

Overall, life as a CIO also changed.

As a CIO in 1998, I wrote code and architected web infrastructure. As a CIO in 2012, I focused on change management, governance, budgets, developing the next generation of IT leaders, and communication. Although I have changed in the past 15 years, the healthcare IT industry itself has matured and the nature of being a CIO in 2012 requires a skill set beyond mastery of technology. As we approach 2013, I will again strive to maintain my equanimity, empower my stakeholders to select those IT priorities which best meet their requirements, and avoid becoming the rate limiting step in any process. 2013 will be a year with many important projects and a new set of regulatory requirements, but in many ways I think 2013 will be more about getting projects done and less about managing the disruption of change. 2012 set the course and we're all headed to a great future. Now we just have to do the work that will get us there.

Tuesday, December 25, 2012

Monday, December 24, 2012

It's Christmas Eve and we're gathered around the hearth at our farm awaiting the Christmas snowfall that is forecast tonight for New England.

I've split logs from an oak tree that blew over during Hurricane Sandy and cut thin flakes from an old cedar tree that fell at the edge of our pasture. The cedar's oils pop and crackle in the fire, so I only use small pieces at a time. The room is filled with the scents of the balsam fir Christmas tree, the smoky sweetness of burning oak/cedar, and an apple crisp made from the orchard next door.

The animals are tucked in for the evening. The chickens and guinea fowl are roosting in the rafters of their coop, near the warming panels we installed for sub-freezing nights like tonight.

The dogs are curled up together in the hayloft after a day of running and rolling in the sunny pasture.

The alpacas and llama are sitting under the ice-ringed moon with their legs tucked under their bodies. They only sleep in the barn on windy or rainy nights.

The forest is still and the only sounds that echo through the rolling hills are twigs snapped by wandering deer, the quiet hum of wild turkeys in the pine trees above the paddocks, and the whistle of a distant train.

To me, Christmas is a state of mind - a sense that for a day or two the anxieties and conflicts of the world can be set aside so families can revel in the positive aspects of the past year and the anticipation of good things to come.

2012 was a turbulent time for us with family health issues, a pace of healthcare IT projects that exceeded any previous year, and many transitions as we sold our home/my father in law's home, closed Kathy's studio/gallery, and consolidated everything to Unity farm.

As we approach the end of the year, there are undone tasks and unresolved challenges. Some define anxiety as a feeling of fear and concern about the unknown. On Christmas Eve, I know that for every future setback there will be a process to make it better. There's no reason to worry today about what might or might not be.

Especially today I'm willing to put aside every negative memory or emotion and focus on the overall path for 2012 which has been overwhelmingly positive.

My wife is cancer free and enjoying every day in her new role as farmer's wife (no blind mice or carving knives involved).

My daughter has a new sense of independence after becoming a confident driver and taking on responsibility for all aspects of her personal life. Mom and Dad are always available to provide assistance and advice, but we're a safety net not a guiding force.

My parents are steadily improving after a year of several health issues. They openly discuss all the possibilities for the future and the stepwise path to ensure they have the highest quality of life possible.

My colleagues in all my IT worlds - international, Federal, State, and BIDMC - continue to make a difference every day by improving the quality, safety, and efficiency of patient care.

My own health, mental and physical, is the best it has ever been and I feel a great sense of well being.

May you all have a holiday season with the nurturing joy and love of the season, taking in the sights, smells, and emotions that remind us of all of the good things this world has to offer.

Thursday, December 20, 2012

I recently spoke with the owner of a 200 acre farm where he and his wife run a CSA, breed goats, and raise cattle. As a vegan, I'm always interested in how farmers who raise livestock for meat address the issue of the emotional bond between the caregivers and the animals.

One common theme I've heard is that farmers and their families do not name animals they intend to sell or process for meat. It's really awkward to respond to a child's innocent "what's for dinner" question with an answer like "Spot" or "Buddy".

As a vegan/vegetarian farm, we have no plans to eat any of our animals and each of them is named for their unique personal characteristics.

Our llama is named "Black Orchid" because of her dark fur and elegance.

Our female alpacas are:
Mocha - she's a chocolate brown color and always interested in delectable foods
Daisy Mae - she's sweet, petite, and good natured
Ella Mae - she's the kind hearted mom of Daisy
Tinkerbell - she's light on her feet and always dashing about
Persia - she has alluring eyes and dark luxuriant lashes that make her look like a mysterious female from the East

Our chickens are:
Sunny - she's our gold colored buff orpington
Chocobo - she's named after a character in "Final Fantasy" that looks like a yellow/gold chicken, perfect for a buff orpington
Midnight - she's our jet black Jersey Giant who is highest on the pecking order
Pingu - her name is Japanese for "penguin", which is fitting for a black Jersey Giant with a touch of white
Snow - she's our white, fluffy Brahma
Velma - she's our smartest chicken, a Brahma, who is named for the Scooby Doo character Velma Dinkley
Chipmonk - she's our Ameraucana with striped coloring just like a chipmunk
Zephyr - she's our breezy barnyard Ameraucana wanderer who is always running from one place to another
Clover - she's our white Ameraucana who enjoys rolling in the grass
Silver - she's our shimmering white Ameraucana with a heavy, thick neck
Terra - she's our first egg layer who enjoys her earthy dust baths
Rainbow - he's our multicolored Ameraucana rooster
Lucky - he's our rescued rooster who now spends his day in the company of 11 female chickens instead of being prepared for Sunday dinner

Our Great Pyrenees Mountain dogs are Bundle and Shiro. Our cat is Lily and we may adopt two rescue cats - Toby and Blessings.

Admittedly the Guinea Fowl are hard to identify separately because they are all genetically related. We do have 2 whites, 7 blacks, and 9 grays. One of the blacks is Piebald.

Whenever I'm running through an airport (most are vegan food deserts), I'm often presented with food choices like chicken caesar or some kind of poultry nugget. Not only does my commitment to veganism keep me from such foods, but the thought of eating Sunny, Chipmonk or Lucky is unconscionable.

Naming the animals is one of the great pleasures of life on the farm. Every day when I'm moving hay, filling water, and shoveling manure, I can address everyone by name, wishing them good morning or offering words of encouragement.

Wednesday, December 19, 2012

The December HIT Standards Committee focused on the reality of implementing the Meaningful Use Stage 2 Standards and Certification rule in the real world of hospitals, clinician offices, and healthcare information exchanges.

First, Liz Johnson and Cris Ross provided a detailed review of the 7 waves of certification test scripts. We discussed several recommendations to clarify and streamline the testing process. In early 2013, the implementation workgroup will complete clinical scenarios to be used by certification bodies. In February 2013 the workgroup will host public hearings to solicit feedback. BIDMC has offered itself as a site to pilot these scripts. The goal is to produce final and piloted scripts in the Spring of 2013, aligning with the timing of vendor product releases and their readiness for Meaningful Use Stage 2 certification.

Next, Dixie Baker presented an excellent summary of the recent hearings on Trusted Identity of Patients in Cyberspace. She defined the essential terms - identity management and authentication - then emphasized their importance in the patient/family engagement provisions of meaningful use stage 2.

Dixie also presented the Privacy and Security Workgroup Recommendations on the security certification for modular EHRs. I speak with the press frequently and some reporters have noted that the current meaningful use stage 2 rules may reduce overall security by not requiring formal certification criteria or documentation that would assure the "sum of the modular parts" is appropriately secure. Dixie's recommendations address this concern by offering 3 security certification options for modular EHRs.

Jamie Ferguson and Betsy Humphreys presented the need to use Current Dental Terminology (CDT) for specific quality measures that require structured information about dental procedures. The committee supported this by consensus as long as the wording of the recommendation only requires CDT for EHRs that calculate specific dental quality measures.

I've written about some of these themes in previous posts and each has their uncharted territory.

One component that crosses several of my goals is how electronic documentation should support structured data capture for ICD10 and ACO quality metrics.

How are most inpatient progress notes documented in hospitals today? The intern writes a note that is often copied by the resident which is often copied by the attending which informs the consultants who may not agree with content. The chart is a largely unreadable and sometimes questionably useful document created via individual contributions and not by the consensus of the care team. The content is sometimes typed, sometimes dictated, sometimes templated, and sometimes cut/pasted. There must be a better way.

I recently attended a two day retreat to brainstorm about novel approaches to clinical documentation.

Imagine the following - the entire care team jointly authors a daily note for each patient using a novel application inspired by Wikipedia editing and Facebook communication. Data is captured using disease specific templates to ensure appropriate quality indicators are recorded. At the end of each day, the primary physician responsible for the patient's care signs the note on behalf of the care team and the note is locked. Gone are the "chart wars", redundant statements, and miscommunication among team members. As the note is signed, key concepts described in the note are codified in SNOMED-CT. The SNOMED-CT concepts are reduced to a selection of suggested ICD-10 billing codes. A rules engine reports back to the clinician where additional detail is needed to justify each ICD-10 code i.e. a fracture must have the specifics of right/left, distal/proximal, open/closed, simple/comminuted.

You can imagine that the moving parts I've described are modular components provided by different companies via cloud hosted web services (similar to the decision support service provider idea).

We've been speaking with industry leaders such as m*modal, 3M, and Optum about these ideas.

Early adopters including Kaiser, Geisinger and Mayo are already working on elements of this approach.

However, there are challenges.

1. Clinicians are not broadly trained in the use of SNOMED-CT. It may be that SNOMED-CT should be used for internal storage of structured data but only friendly plain text descriptions are displayed to users.

2. Will CMS, the Joint Commission, and malpractice insurers accept the concept of jointly authored care team notes?

3. Implementing all 5 applications/modules at once may be too much change too quickly, making the overall project high risk.

5. Will companies be willing to create such modules/services at a time when few EHRs are likely to interface to them? As Meaningful Use Stage 3 is finalized, I expect some of this functionality to be required.

We have 22 months before ICD-10 compliance is required and complete documentation in support of the new codes must be available. We need to work fast. Tomorrow we have an internal conference call to plan next steps - what module or modules do we work on first? We have companies interested in partnering with us on Modules 2 and 3. The National Library of Medicine's VSAC is developing module 4.

I welcome your advice - have you discovered emerging products that might be useful for our exploration?

Have you considered how to take your clinical documentation to the next level?

Monday, December 17, 2012

Last Wednesday I was in Washington DC speaking at the ONC annual meeting and the speaker who preceded me was Leon Rodriguez, Director of the Office of Civil Rights. On Thursday, I was in Boston speaking at the HIMSS Privacy and Security Forum and the speaker who preceded me was Leon Rodriguez. Now that Leon and I are doing roadshows together, I have a broader understanding of the privacy and security enforcement goals of the Obama administration.

In the past, as an operational CIO, an academic studying approaches to healthcare information exchange, and as co-chair of the HIT Standards Committee, I've focused on security technology (FIPS 140 encryption, ASTM audit trail standards, two factor authentication, remote access, intrusion detection, zero day defense etc.) and the enabling policies that support best practices.

While this has been effective, as measured by downtime, breaches of devices under IT control, and a balance between ease of use/access restriction, the entire healthcare industry is still on a journey toward security program maturity.

What do I mean?

A mature program uses a framework such as NIST 800 to serve as a rubric for stakeholder analysis of risk. Such a framework ensures that stakeholders consider all the elements of risk and not just the ones that are top of mind for experts in the room. Risks can be physical security, mobile devices, human factors including staffing levels that concentrate expertise in too few people, configuration policies, and timeliness of audit log reviews. In the past, many CIOs in healthcare have been given enough security staff to support operations but not enough staff to create the processes, policies, and documentation that reflect a mature, optimized program.

If you take a look at Leon's slides, you'll see that the Office of Civil Rights wants to ensure organizations have done a thorough risk analysis. I would recommend doing this yearly. Once the risk analysis is done, stakeholders including Boards and senior management should prioritize risk, develop mitigation action plans, and document their decisions.

Leon and the OCR understand that breaches can occur in effective and mature security programs, e.g. no technology can stop an authorized user from using a digital camera to take a photo of protected healthcare information on a computer screen and then sharing that photo inappropriately.

OCR wants to ensure organizations have created a culture of compliance that goes beyond security technologies. It includes education, incident responses, and documented discussion that demonstrate an organization and its staff consider security and privacy as part of their duty and daily work lives.

Leon made very thoughtful comments at both venues. Although the press has called the HHS log of reported privacy breaches the "Wall of Shame", Leon does not use this term. A breach is investigated to ensure that the right processes were in place at the affected organization to mitigate risk. The findings are used to educate the entire industry. Fines are issued when organizations did not follow the compliance requirements of HIPAA and HITECH, not because of the breach itself.

My takeaway from this is that all IT organizations should spend the next few years adding polish to their policies, procedures, documentation, education, and process efforts. BIDMC has embraced NIST 800 for this effort and thus far it is going well.

A final thought. This work takes resources, both capital and operating. However, Boards and senior management are likely to be receptive to security resource requests in 2013, since the cost of non-compliance can easily exceed the cost of the additional people needed to create a mature security program.

Thursday, December 13, 2012

As I've mentioned in previous posts, our male alpacas are guarded by two Great Pyrenees Mountain dogs, Bundle (a one year old female) and Shiro (a 6 month old male). Bundle is 70 pounds and not likely to grow much more. Shiro is 70 pounds and likely to grow to 100 pounds.

At the farm, we have a routine. In the early morning, when we do chores (stock the hay feeders, fill water buckets, haul manure etc.) we give the dogs breakfast biscuits. Great Pyrenees tend to guard their food, so the dogs carry their treats to opposite ends of the paddock and savor them. As we finish the chores, I ask Bundle to get her leash (it's sometimes a favorite tug of war toy for the dogs) and we run a few miles on surrounding trails. Bundle is very interested in finding deer, wild turkeys, and small mammals. Shiro is more interested in following Bundle then stealthily jumping on her when she least expects it. Since Shiro goes where Bundle goes, he does not need a leash at this point in his life (although mature male Great Pyrenees tend to wander).

I've cut 3 trails through the woodland - the Orchard trail, the Old Cart Path (used in Colonial days), and the Marsh trail. The dogs run as fast as they can along the Orchard trail and up the stairs I've built in an old rock wall to access the neighboring 55 acre orchard where they can play in the grass, roll down hills, and enjoy all the interesting plant/animal smells they discover between the old apple trees.

After a run around the orchard, we return to the Orchard trail and run back to paddock. Great Pyrenees tend to sleep during the day and guard at night when predators are most active. After their run, the dogs fall asleep under the hay feeder or in the hay loft. They never seem to mind the cold since they have a double coat of insulating fur. Bundle would rather stay dry but Shiro enjoys digging in the mud before sleep. It's puppy heaven.

Before evening chores, we run the Old Cart Path, often finding the 30 wild turkeys that roost in pine trees above our stream. In the longer days of Summer and Fall, Bundle and Shiro enjoy a few minutes of tumbling together in the tall grass of the pasture before heading back to the paddock. While we are cleaning the barnyard and replenishing food/water/minerals for all the animals, the dogs eat dinner in separate areas of the barn to avoid any squabbling over food. Although our farm is entirely vegetarian/vegan, the dogs eat an appropriate diet for an omnivore. Although it is possible, I would not recommend a vegan diet for dogs and cats.

After all the animals are secured and settled for the night, my wife and I return to the house to prepare our own dinner. The dogs begin the vigilant watch of the barn yard.

Two dogs, a 300 pound llama and a 5 foot electric fence have proven to be an effective deterrent for the coyotes, fisher cats, and foxes in our forest.

Whenever a predator threatens, the dogs bark at it wildly, raising an alarm. When I hear them, I venture out to the paddock to ensure all is well. The dogs greet me as if they have not seen me in years. They can never be petted enough. Both dogs are incredibly strong and try to tackle me to the ground in play.

On the rare occasions that I must discipline the dogs (see The Guinea Fowl Who Lost His Mojo), they are genuinely upset by the disapproval of their pack leaders (the humans). They sulk and beg forgiveness.

At any time of day or night, with fair and foul weather, in any situation, the dogs give their love unconditionally.

Bundle and Shiro are always happy to serve, eager to play, and thankful for a rub behind the ears. They seek approval and take their alpaca guarding work very seriously.

They look forward to the daily rituals we've developed and definitely feel a loss when my schedule breaks the pattern (going to Washington DC at 4am conflicts with the morning run).

We have affection for all the citizens of Unity Farm, but the unconditional love of dogs creates a special bond for us. I look forward to sharing the next decade of our lives together.

Wednesday, December 12, 2012

Today I'm speaking at the ONC annual meeting as part of panel discussing interoperability.

For years, patients, providers and payers have complained that EHRs "do not talk to each other".

By 2014, I expect this issue to disappear.

Why?

Do I expect that every state and territory will have a robust, sustainable healthcare information exchange by 2014? No.

Do I expect that every provider will be connected to a Nationwide Health Information Network by 2014? No.

Do I expect that a single vendor will create a centrally hosted method to share data by 2014, just as Sabre did for the airline industry in the 1960's? No.

What I expect is that Meaningful Use Stage 2 will provide the technology, policy, and incentives to make interoperability real.

Stage 2 requires that providers demonstrate, in production, the exchange of clinical care summaries for 10% of their patient encounters during the reporting period. The application and infrastructure investment necessary to support 10% is not much different than 100%. The 10% requirement will bring most professionals and hospitals to the tipping point where information exchange will be implemented at scale, rapidly accelerating data liquidity.

Stage 2 requires that more than 5 percent of patients with inpatient or outpatient encounters (or their authorized representatives) view, download or transmit to a third party their information during the EHR reporting period. The Automate Blue Button initiative is an example of this functionality. It puts the patient in control by enabling query/response or publish/subscribe retrieval of care summary data from EHRs. Just as the 10% threshold for exchange of summaries between providers will encourage technology and policy implementation, the 5% threshold for patient-provider exchange means that software, educational materials and processes will be put in place to engage patients and families in novel ways. If not, hospitals and professionals will not qualify for stimulus dollars.

A subtle point in the final rule that some may overlook is the statement above "patients (or their authorized representative)". The Social Security Administration, with patient consent, could act as an authorized representative and retrieve medical history in support of disability claims. Innovative third parties offering consumer oriented decision support, care management services, or home health might act as authorized representatives. The patient access provisions will create an ecosystem of products - an app store for health.

The standards included in Meaningful Use Stage 2 are unambiguous. Content, vocabulary, and transport standards backed by comprehensive implementation guides and resources like the National Library of Medicine's Value Set Authority Center (VSAC) eliminate the gaps in semantic interoperability that were an impediment to interoperability in the past.

Finally, in addition to stimulus payment incentives, Accountable Care Organizations/Value-Based Purchasing risk contracts make redundant testing a cost rather than a profit center, motivating hospitals and professionals to share data across communities.

With certified technology, standards, and incentives to share data among providers and patients, 2013-2014 will usher in a new era of interoperability.

My daughter will be 21 years old in 2014. It is my hope and belief that she will never face paper-based uncoordinated care in her adult life. With Meaningful Use Stage 2, CMS and ONC have laid the foundation to make that possible.

Thursday, December 6, 2012

This is our first winter on the farm and although we have prepared the barn, pasture, woodlot, coop, and animals for the cold weather we do not yet have Christmas traditions at Unity. This year, we have to make them.

Using local materials from local vendors, we've added garlands of white pine and fir to the barn, pasture gate and house entryway. We've hung wreaths on the sheds and added swags of juniper to our light posts.

Mistletoe kissing balls surround the front door. We've decorated a living Christmas tree in front of the house. We've added strings of Christmas lights to selected trees and woven lights into the strands of pine garland.

Our 15 acres are filled with oaks, cedars, pines, birch, and poplar. Hurricane Sandy blew over a few older, dead trees. I've cut them up and split the wood into 3 neat cords for Christmas fires in our stone hearth and wood burning stove (made in 1880).

Indoors we'll find a place to build our model New England village and create a miniature barnyard around the creche from my childhood.

A Lionel train will circle a small indoor Christmas tree that we'll harvest this weekend.

Christmas stockings for my wife and me, our daughter, my father-in-law and our animals will be hung on the chimney with care.

While we do not have reindeer, we do have a four point buck and five does living in our meadow.

Christmas dinner will include a medley of root vegetables from our cellar, Japanese pumpkin (kabocha) simmered in rice wine and soy sauce, potatoes, baked apples, homemade tofu, and blueberry pie.

Life on a farm means that gifts are practical. Warm, waterproof gloves for cold early morning work in the paddocks. A vest to break the chill of a windy day. A few woodworking tools (last year my wife gave me a splitting maul and Swedish forest axe). We make our own soaps on the farm and we'll be giving gifts that range from an oatmeal scrubbing soap to a poppy seed facial soap. I cut up a 100 year old cedar that fell in recent storms and we'll be giving blocks of its aromatic purple wood to keep moths out of closets.

The traditions we're building at Unity Farm will bond me to the place, the citizens (animal and human) living there, and the familiar rituals we create. There is something timeless about working the land and creating a celebration of the season with a loving family around you. We are defined by the experiences, good and bad, in our jobs, our relationships, and our environment. Preparing for Christmas on the Farm has healed the bad, multiplied the good, and given me the equanimity I have yearned for in 2012.

My daughter still has the silver bell she received from our ride on the "Polar Express" in New Hampshire when she was a child. We'll hang it on our first Unity Farm Christmas tree and I'm confident that this season we will all be able to hear its sweet, resonant sound.

Wednesday, December 5, 2012

Over the past few months I've been talking to many industry leaders about the challenge of matching IT supply and demand. Governance committees are essential but are not enough when the number of project requests is so large that they become difficult to triage.

Objective, quantitative scoring criteria can help.

Intel has implemented a Business Value Index that is based on numerical scoring of

"We take all inbound requests, whether captured by helpdesk or in meetings. A clinical informaticist reviews the request and presents it at our scoring committee meeting, which lasts for about an hour each week. The informaticist provides a preliminary scoring, and the group either confirms it, adjusts it, or sends it back for more research. Occasionally a request will be outright denied at the meeting if it just doesn't make sense. We have an appeals process for the requestor but it is rarely used. All requests, regardless of age, are kept in a rank ordered list by priority based on score. The application teams work from the top of that list downward, and they don't pick up anything new from the list until something currently underway is completed. Lastly, we reserve some capacity for fast track (easy items) which can be done even if lower on the list."

Tuesday, December 4, 2012

Per the theme of security assessment I've been posting about, part of crafting a multi-year security roadmap is examining technologies and practices that have limited use in healthcare but are widely deployed in other industries.

Application Security Testing - Vendor applications, including those with FDA 510(k) approval, may have security vulnerabilities. Testing third party products with source code analysis tools can find defects that are missed by traditional vulnerability scanning software. Related to application testing is third party vendor management: testing and verifying the security of cloud hosted service providers and business associates is becoming a best practice.

Data Loss Prevention - Although many healthcare organizations have strict policies on the use of email, social networking, cloud storage, remote access, and mobile devices, it's increasingly important to have technology in place that enforces those policies, preventing users from violating them by sending data to non-secured locations, for example sending patient information to a referring clinician who uses Gmail. Many vendors offer appliances that quarantine, notify, restrict, and manage the flow of email containing person-identified information/protected health information. Related to DLP is a strategy to prevent use of unencrypted storage devices - thumb drives, DVDs, CDs etc.
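The core of an outbound-email DLP appliance is a content classifier plus a routing decision. The following is an added example of that logic (not code from the original post or from any DLP vendor): it scans a message for PHI-like identifiers and then decides, based on whether the recipient's domain is on an approved list, to allow the message, force it through the secure-mail gateway, or quarantine it. The identifier formats (a seven-digit "MRN"), the approved domains and the three sample messages are all constructed for this illustration.

```python
"""Outbound-email DLP decision (constructed example)."""
import re
from dataclasses import dataclass

# Constructed: domains whose mail is delivered over an encrypted gateway.
APPROVED_DOMAINS = {"example-hospital.org", "partner-clinic.example"}

# Constructed PHI detectors. A real appliance adds dictionaries, checksums
# and proximity rules; these regexes only show the shape of the problem.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{7}\b"),                       # hypothetical MRN format
    "dob": re.compile(r"\b(?:DOB|date of birth)[: ]*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
}


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


def find_phi(text: str) -> dict[str, int]:
    """Map each PHI category found in `text` to the number of matches."""
    return {name: len(pat.findall(text))
            for name, pat in PHI_PATTERNS.items() if pat.search(text)}


def classify(msg: Message) -> tuple[str, dict[str, int]]:
    """Return (action, phi_hits). Actions: allow, allow-encrypted, quarantine."""
    hits = find_phi(msg.subject + "\n" + msg.body)
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    if not hits:
        return "allow", hits                 # nothing sensitive: deliver normally
    if domain in APPROVED_DOMAINS:
        return "allow-encrypted", hits       # PHI to a business associate: force secure route
    return "quarantine", hits                # PHI to an unmanaged mailbox: hold and notify


# Constructed sample traffic.
SAMPLES = [
    Message("dr.lee@example-hospital.org", "referrals@gmail.com",
            "Referral", "Please see patient MRN 1234567, DOB 04/12/1965, for follow-up."),
    Message("dr.lee@example-hospital.org", "intake@partner-clinic.example",
            "Referral", "Please see patient MRN 1234567, DOB 04/12/1965, for follow-up."),
    Message("dr.lee@example-hospital.org", "friend@gmail.com",
            "Lunch", "Thursday at noon?"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        action, hits = classify(m)
        print(f"{m.recipient:<35} {action:<16} {hits}")
```

The interesting design choice is the middle branch: the same PHI going to an approved partner is not blocked but rerouted, which is how the "quarantine, notify, restrict, and manage" behaviors the post lists coexist without stopping legitimate care coordination.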

Adaptive Authentication - Critical applications, including email, enterprise resource planning, and clinical applications deserve increased authentication rigor. For example, if a user is not typically outside the US and suddenly logs in from an unexpected location, then the user should be challenged with an additional factor. Approaches could include a secret question or a one-time PIN code sent to a known cell phone. Such applications can also perform a risk analysis of authentication events to detect anomalies, including authentication events using compromised accounts and suspect IP addresses.
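The paragraph above describes a risk-scored login decision. Here is an added example of that logic (not code from the original post or from any authentication product): each login event is scored against the user's own history of countries, a list of suspect IP addresses, and a list of accounts known to be compromised, and the score maps to allow, step-up (challenge with an additional factor) or deny. The score weights, the thresholds, the IP (from the RFC 5737 documentation range) and the user names are all constructed assumptions.

```python
"""Risk-based (adaptive) authentication decision (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed threat intelligence inputs.
SUSPECT_IPS = {"203.0.113.7"}          # documentation-range address, not a real indicator
COMPROMISED_ACCOUNTS = {"jdoe"}         # accounts flagged by the security team

# Constructed weights and thresholds.
WEIGHT_SUSPECT_IP = 50
WEIGHT_COMPROMISED = 100
WEIGHT_NEW_COUNTRY = 40
WEIGHT_NEW_DEVICE = 20
DENY_AT = 100
STEP_UP_AT = 40


@dataclass
class LoginEvent:
    user: str
    country: str
    ip: str
    new_device: bool = False


class AdaptiveAuthenticator:
    def __init__(self) -> None:
        # user -> country -> number of successful logins seen from there
        self.history: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))

    def risk_score(self, ev: LoginEvent) -> int:
        score = 0
        seen = self.history[ev.user]
        if ev.ip in SUSPECT_IPS:
            score += WEIGHT_SUSPECT_IP
        if ev.user in COMPROMISED_ACCOUNTS:
            score += WEIGHT_COMPROMISED
        # "Unexpected location": the user has a history, and it does not include this country.
        if seen and ev.country not in seen:
            score += WEIGHT_NEW_COUNTRY
        if ev.new_device:
            score += WEIGHT_NEW_DEVICE
        return score

    def decide(self, ev: LoginEvent) -> tuple[str, int]:
        """Return (decision, score); decision is allow, step-up or deny."""
        score = self.risk_score(ev)
        if score >= DENY_AT:
            return "deny", score
        if score >= STEP_UP_AT:
            return "step-up", score
        return "allow", score

    def record_success(self, ev: LoginEvent) -> None:
        """Call after the password (and any step-up factor) verified, so the
        history only learns from logins that actually succeeded."""
        self.history[ev.user][ev.country] += 1


if __name__ == "__main__":
    auth = AdaptiveAuthenticator()
    for ev in [LoginEvent("alice", "US", "198.51.100.10"),
               LoginEvent("alice", "US", "198.51.100.11"),
               LoginEvent("alice", "RO", "198.51.100.12"),
               LoginEvent("alice", "US", "203.0.113.7"),
               LoginEvent("jdoe", "US", "198.51.100.13")]:
        decision, score = auth.decide(ev)
        print(f"{ev.user:<6} {ev.country} {ev.ip:<15} -> {decision:<8} ({score})")
        if decision == "allow":
            auth.record_success(ev)
```

Two details matter in practice. The history is updated only after a verified success, so an attacker who triggers a step-up cannot "teach" the system a new country just by attempting a login. And the first login from a brand-new user has no history to compare against, so the location rule stays silent rather than challenging everyone on day one; other signals (suspect IP, compromised account) still apply.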

As with other posts on such topics, I look forward to comments about your plans and experiences in these areas.

Monday, December 3, 2012

I've mentioned in previous blogs that BIDMC has contracted for an enterprise wide security assessment to ensure our security projects are aligned with best practices. Over the next few months I'll write several posts about the issues we've reviewed and the evolution of our thinking about security.

Today I'll start with something basic.

What is the right frequency to require passwords changes?

Many security experts and commonly used guidelines suggest a 90 day password expiration frequency.

To understand the common practices of hospitals in Massachusetts, I asked many of my peer CIOs about their password change policies. The answer - some organizations are at 9 months, some are at 6 months, and some are at 3 months. One is at 4.5 months - a compromise between 3 months and 6 months.

There are two questions we need to answer before crafting the ideal policy:

1. Does changing passwords frequently actually increase security?

2. What is the impact of frequent password changes on the user experience (especially for smartphone and iPad users)?

For question 1 - The benefit of requiring more frequent password changes has been the topic of debate within the IS community for years. While many experts claim shortening the period reduces risk, others argue the opposite, because users cannot remember frequently changed passwords and write them on Post-it notes which they affix to their work area.

Here are three references which suggest that increasing password change frequency reduces security.

For question 2 - Frequent password changes can be challenging for users of mobile devices. Generally, something like this happens:

1. You change your password via a desktop application.
2. Your iPhone and iPad try to sync email before you can change the password on them.
3. Your account is locked out for 20 minutes.
4. You try to change your password on your mobile devices but you cannot because of the lockout.
5. You call the IS help desk and they remove the account lock, but you spend two hours trying to change the password on all your mobile devices before the account is locked again, calling the help desk several times.

I'm sure there is an ideal way to do this, namely turn off all the cellular and network connections on your mobile devices and change your password via a desktop application. Then change the password on your mobile devices before re-enabling their wireless network connections.
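The lockout cycle described above is easy to reproduce in a small model, which is the point of this added example (not code from the original post, and not modelling any particular directory product). It simulates an account with a failed-attempt lockout, three devices that cache the old password and retry on a sync schedule, and the two procedures: "change on the desktop first" versus "disconnect the devices, change, update them, reconnect". The lockout threshold (5 failures), the 20-minute lock (the figure in the post), the 5-minute sync interval and the device names are all constructed assumptions.

```python
"""Password change vs. stale mobile clients: a lockout simulation (constructed)."""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5          # constructed: failures before the account locks
LOCKOUT_MINUTES = 20           # from the post: 20 minute lockout
SYNC_INTERVAL_MINUTES = 5      # constructed: how often a mobile client retries


class Account:
    """Directory-style account: counts bad passwords and locks on threshold."""

    def __init__(self, password: str) -> None:
        self.password = password
        self.failed = 0
        self.locked_until = 0.0          # seconds; 0 means never locked

    def authenticate(self, password: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"
        if password == self.password:
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_MINUTES * 60
            self.failed = 0
            return "locked"
        return "bad-password"


@dataclass
class Device:
    name: str
    cached: str                   # the password the mail client has stored
    sync_enabled: bool = True


def simulate(change_on_desktop_first: bool, minutes: int = 30) -> dict:
    """Run a window of `minutes` and count what each sync attempt returned.

    change_on_desktop_first=True  -> step 1 of the post's sequence: devices keep
                                     retrying with the stale password.
    change_on_desktop_first=False -> the 'ideal way': devices offline during the
                                     change, updated, then reconnected.
    """
    acct = Account("old-password")
    devices = [Device("iPhone", "old-password"),
               Device("iPad", "old-password"),
               Device("laptop-mail", "old-password")]
    counts = {"ok": 0, "bad-password": 0, "locked": 0, "lockout_events": 0}

    if change_on_desktop_first:
        acct.password = "new-password"                  # devices still hold the old one
    else:
        for d in devices:
            d.sync_enabled = False                      # airplane mode first
        acct.password = "new-password"
        for d in devices:
            d.cached = "new-password"                   # update each client
            d.sync_enabled = True                       # then reconnect

    for t in range(0, minutes + 1):
        for d in devices:
            if d.sync_enabled and t % SYNC_INTERVAL_MINUTES == 0:
                before = acct.locked_until
                result = acct.authenticate(d.cached, t * 60)
                counts[result] += 1
                if acct.locked_until > before:
                    counts["lockout_events"] += 1        # a fresh lock was triggered
    return counts


if __name__ == "__main__":
    print("desktop first :", simulate(True))
    print("devices first :", simulate(False))
```

With three clients retrying every five minutes the account locks within the first two sync cycles and again as soon as the lock expires, which matches the loop in the post: unless every stale client is updated while the lock is open, the cycle repeats until the help desk intervenes or the user changes the order of operations.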

Regardless, doing this every few months will increase help desk support call volume and user frustration.

A side effect of creating a suboptimal user experience is that users will stop using tightly controlled corporate applications and instead access consumer grade technology such as Gmail, Dropbox, and text messaging, increasing risk and ultimately reducing security.

As a next step, we'll ask our multi-stakeholder IS Security and Privacy Committee to review the literature (pro and con) about frequent password changes. They'll evaluate the risks and benefits of various password change frequencies and then we'll select a path forward which hopefully balances the risks of infrequent password changes against those of too frequent password changes.

Just as I asked about remote access, I welcome your comments about your password expiration frequency policies and experience.